From:

Sent: Friday, February 12, 2016 11:55 AM

To: 

Subject: IMPORTANT: Weekly ACES Update --- UNCLASSIFIED


Classification: UNCLASSIFIED 


Advanced Collaboration Enterprise Services (ACES) 
Creating a Common Operating Environment (COE) for MOD Collaboration Enterprise 


This is a weekly status update on ACES for all relevant stakeholders. Highlights/Changes in Red.

From:

Sent: Thursday, May 12, 2016 1:39 PM 

To: 

Subject: IMPORTANT: Weekly ACES Update --- UNCLASSIFIED
Attachments: MOD MMG Update ACES Deployment 11 May 16.pdf 


Classification: UNCLASSIFIED 
Advanced Collaboration Enterprise Services (ACES)


Creating a Common Operating Environment (COE) for MOD Collaboration Enterprise 


This is a weekly status update on ACES for all relevant stakeholders. Highlights/Changes in Red.

From: 

Sent: Tuesday, August 09, 2016 3:03 PM 

To: 

Cc:

Subject: Mission Opportunity 2016-003: Advanced Collaboration Enterprise Services (ACES) - FULL DEMO AVAILABLE --- UNCLASSIFIED


Classification: UNCLASSIFIED


All, 
Please be aware that a full ACES capabilities demo will be taking place this Friday (August 12th) at the ACES Lab
in Arlington from 1 to 3 pm.

If you are interested in attending, please contact        on the TO Line to confirm attendance and
obtain meeting details.
Cheers, 
From:

Sent: Tuesday, January 05, 2016 8:56 AM

To: 

Cc:

Subject: MOD - ACES #200233 - IATT approval --- UNCLASSIFIED








and 





























Request your approval of ACES so they can continue to test and complete the RMF steps. It
should be in the DAO's queue.


























FYI - We have an ACES status meeting from 3-4pm today as well; it looks as though neither of you was
invited to it.


I was hoping the IATT could be approved before the meeting if possible.


Thank you, 
From:

Sent: Thursday, October 15, 2015 11:33 AM
To: 

Subject: Project        MOD Advanced Collaboration Enterprise Services in Your DAO Queue --- UNCLASSIFIED//FOUO


Classification: UNCLASSIFIED//FOUO


Just letting you know that RMF Steps 1 & 2 have been closed for Xacta project        [ACES / Advanced Collaboration
Enterprise Services]. The IATT Task request is currently in your queue.


Thank you, 
From:

Sent: Tuesday, March 08, 2016 11:43 AM

To: 

Cc:

Subject: RE: ACES Reapprove fix Xacta --- UNCLASSIFIED//FOUO


Classification: UNCLASSIFIED//FOUO














Thanks 

From:
Sent: Tuesday, March 08, 2016 11:41 AM 
To: 

Cc: 








Subject: RE: ACES Reapprove fix Xacta --- UNCLASSIFIED//FOUO


Classification: UNCLASSIFIED//FOUO


Done, but the line you pasted below shows it was approved already; that is all you need.

















From:
Sent: Tuesday, March 08, 2016 11:21 AM








To:
Cc:
Subject: ACES Reapprove fix Xacta --- UNCLASSIFIED//FOUO








Classification: UNCLASSIFIED//FOUO























Can you correct the IATT task back to DAO approved? Screen grab below. 
1/6/2016 12:55:25 - - DAO Rep Alt





Workflow was modified 


Approve 
1/5/2016 10:40:31 - - DAO (Gov Only)














Approved 


Recommend: APPROVE
12/29/2015 11:23:42 - - DAO Rep

















Thank you, 














Classification: UNCLASSIFIED//FOUO


Approved for Release: 2018/07/19 C05113002





























From:

Sent: Friday, June 10, 2016 11:08 AM

To: 

Cc:

Subject: RE: ACES - FAT Complete - SAT Scheduling --- UNCLASSIFIED//FOUO


Classification: UNCLASSIFIED//FOUO


Hi        (including the NROC Directors as well in the email chain),


This looks good. 














One important point of clarification for the DAO...since        has agreed to receive the SAR on        ,
we want to make sure that the ATO approval from the DAO occurs on        as well.














This gives the NROC (and MS&O) a concrete timeline to deploy the rest of ACES into the NROC and NRO Situation Room
starting on 5 July. 





Thoughts?











Best, 




















From: 
Sent: Friday, June 10, 2016 10:44 AM 











Subject: RE: ACES - FAT Complete - SAT Scheduling --- UNCLASSIFIED//FOUO


Classification: UNCLASSIFIED//FOUO


Following is the agreement we came to today for ACES














Please correct me if I misstated something. Thanks!























From: 
Sent: Friday, June 10, 2016 9:16 AM 











Subject: RE: ACES - FAT Complete - SAT Scheduling --- UNCLASSIFIED//FOUO


Classification: UNCLASSIFIED//FOUO










Hi 








Is ACES a COI asset? I was wondering if it makes sense to assign another SCA to either assist you, or take it over? My
only concern is the time it will take another SCA to come up to speed on this asset.
Thanks. 














How quickly can we get ACES through TSB? It is an asset that has a program set deadline. Asset 






































Thanks! 


Let me know your thoughts on what I proposed in the first paragraph to        I have cc'd all the alternate SCAs listed on
this asset. Thanks!




















From: 
Sent: Tuesday, June 07, 2016 12:57 PM
To: 

Subject: RE: ACES - FAT Complete - SAT Scheduling --- UNCLASSIFIED//FOUO

Classification: UNCLASSIFIED//FOUO




















(U) If you have any other questions please let me know. 


v/r 




















From:

Sent: Tuesday, Jun 
To: 
Subject: RE: ACES - FAT Complete - SAT Scheduling --- UNCLASSIFIED//FOUO














Classification: UNCLASSIFIED//FOUO





Hi 











Just wanted to keep this between us... 



































How can we shorten this to get as close to for an ATO as possible? 





Best, 
From:
Sent: Tuesday, June 07, 2016 10:59 AM




















Subject: RE: ACES - FAT Complete - SAT Scheduling --- UNCLASSIFIED//FOUO
Classification: UNCLASSIFIED//FOUO



























































v/r 























From:
Sent: Monday, June 06, 2016 2:46 PM
Subject: RE: ACES - FAT Complete - SAT Scheduling --- UNCLASSIFIED//FOUO


Classification: UNCLASSIFIED//FOUO


Hi


Thanks for the update. Based on the        testable items within Xacta, what are the actual dates for the following:





1) ARR 
2) SAT 
3) SAR/ATO 





We have to put concrete markers in the calendar so that we can plan/execute at all the deployment sites. Based on our
last meeting on 14 April, we agreed to a worst case scenario of        to have an ATO w/ POAMs in
hand. That gives us        days to hit this deadline.




















Are we going to make it? If not, we need to be able to justify this slip. 


Best, 

















From:
Sent: Thursday, June 02, 2016 7:24 AM














Subject: RE: ACES - FAT Complete - SAT Scheduling --- UNCLASSIFIED//FOUO


Classification: UNCLASSIFIED//FOUO














(U//FOUO) I am currently trying to get your controls implementation to export from Xacta, I am at 8 mins and counting. I
have not seen anything yet that is a problem that would make it so we could not move forward with an ARR. I did notice
that the Compliance self-test document in Xacta is        pages long with a default of        lines per page. In contrast to this,
       has only        pages at        lines per page.








(U//FOUO) Why this poses a problem is that the information entered in Compliance Self-test filters into my
independent testing task when it opens and then down into Security Assessment>>Analyze Controls tasks. So all of
those items in the Compliance Self-test and Independent Testing tasks will have to be answered in the Security
Assessment task. That may be at its worst in upwards of        items that have to have a risk rating assigned and
information verified. This information is then passed over to the DAO-Rep in the POAM Monitoring task. The DAO-Rep
then has to answer each and every one of these as either a POAM item or reject it.


(U//FOUO) I'm telling you this because all of this takes time in Xacta and will delay the development of the SAR and the
completion of the ATO w/POAM to get the program to step 6. So while I am at the off-site for the rest of today and out
tomorrow, the program folks may want to take a careful look at what they marked for testing to see if there is anything
they can take out, so when we go into the later steps it does not take as long to get through them.


(U//FOUO) We can discuss the actual test cases as part of the ARR just to make sure everyone has a complete
understanding. If you have any questions please let me know. 


v/r 






































Subject: RE: ACES - FAT Complete - SAT Scheduling --- UNCLASSIFIED


Classification: UNCLASSIFIED 


Hi


Just following-up... We are nearing the end of three weeks this week for the document review. We haven't received
any questions, so am I to assume everything is looking good?


Will you be done this week and can we go ahead and schedule the SAT for next week? 
Thank you! 


Best, 
From:
Sent: Monday, May 23, 2016 12:52 PM








Subject: RE: ACES - FAT Complete - SAT Scheduling --- UNCLASSIFIED


Classification: UNCLASSIFIED 


I am in the process of reviewing your documents and it will take about three weeks to get through all of the information
and get questions answered as they come. 


v/r 























From:
Sent: Friday, May 20, 2016 9:36 AM











Subject: RE: ACES - FAT Complete - SAT Scheduling --- UNCLASSIFIED


Classification: UNCLASSIFIED 


Hi


Just following-up....have you had a chance to look at your calendar and find a date to review all the materials as well as 
schedule the SAT? 


Best, 
From:
Sent: Tuesday, May 17, 2016 10:39 AM 











Subject: ACES - FAT Complete - SAT Scheduling --- UNCLASSIFIED 


Classification: UNCLASSIFIED 





Hi 











We completed the ACES FAT yesterday! It took approximately four (4) hours to complete the functional testing and the
CTP. We are ready to now complete the SAT! (I'm excited if you can't tell...)


Based on the length of time required for the FAT, I suspect we can complete the SAT in less than a day. What do we
need to do to get this on the calendar as soon as possible? 


What do we need to do in order to be ready for the SAT? Where do we ship the equipment (through MS&O) and set up 
the server, one operator workstation, etc.? 


Thank you. 


Best, 














Classification: UNCLASSIFIED


From:




















Sent: Friday, June 10, 2016 11:06 AM 

To: 

Cc:

Subject: RE: ACES - FAT Complete - SAT Scheduling --- UNCLASSIFIED//FOUO


Classification: UNCLASSIFIED//FOUO















































From: 














Subject: RE: ACES - FAT Complete - SAT Scheduling --- UNCLASSIFIED//FOUO

Classification: UNCLASSIFIED//FOUO


Hi All, 





Following is the agreement we came to today for ACES

Please correct me if I misstated something. Thanks!


























Subject: RE: ACES - FAT Complete - SAT Scheduling --- UNCLASSIFIED//FOUO


Classification: UNCLASSIFIED//FOUO


Is ACES a COI asset? I was wondering if it makes sense to assign another SCA to either assist you, or take it over? My
only concern is the time it will take another SCA to come up to speed on this asset. 
Thanks. 


| 


How quickly can we get ACES through TSB? It is an asset that has a program set deadline. Asset        Thanks!

Let me know your thoughts on what I proposed in the first paragraph to        I have cc'd all the alternate SCAs listed on
this asset. Thanks!























From: 
Sent: Tuesday, June 07. 2016 12:57 PM 
To: 

Subject: RE: ACES - FAT Complete - SAT Scheduling --- UNCLASSIFIED//FOUO




















Classification: UNCLASSIFIED//FOUO

(U) Even if we tested tomorrow there would be no way to get an ATO by next Thursday. The times are as soon as I am
available. Coordinating 3 test events at this time including yours. I am getting you in for ARR as soon as is possible. I can
go into testing as soon as the day after ARR, if your team is ready.


(U) Because of the size of the information that has filtered down into Compliance Self-test and will therefore be present
in the later tasks I work in Step 4, it is going to take me that long to go through and get the correct information into the
POAM. The length of time it takes me to do the SAR is relative to how well the testing goes. The better the testing, the
quicker I can produce a SAR. If there are items that fail or go wrong during testing then I will need to get further
information from the program before moving the project into Step 5 for the DAO-Rep and DAO to work.


(U) If you have any other questions please let me know.


v/r 


























Sent: Tuesday, June 07, 2016 11:52 AM














Subject: RE: ACES - FAT Complete - SAT Scheduling --- UNCLASSIFIED//FOUO

Classification: UNCLASSIFIED//FOUO








Hi 








Just wanted to keep this between us... 

















How can we shorten this to get as close to for an ATO as possible? 


Best, 
From:
Sent: Tuesday, June 07, 2016 10:59 AM











Subject: RE: ACES - FAT Complete - SAT Scheduling --- UNCLASSIFIED//FOUO


Classification: UNCLASSIFIED//FOUO


(U) We can do ARR 22 Jun and determine a test day/time before that meeting convenes. 


(U) We do not have any requirement to do the meeting face-to-face with your project. So we can do it virtually over the
phone on a conference call. Just need to make sure that you are available and present at the meeting or another
Government rep of your choice, as long as the program has a government rep on line for the meeting. If Government
representation for the program does not dial/show-up then the ARR is marked as a failure for non-Government
participation.


(U) The only part that will slow us down is getting through the 8 pages of test items during the independent testing and
security assessment tasks. I have        once testing is completed to compile my report and get the Liens in for
inclusion in the POAM.


























(U) Our office does not control the ATO completion; that is the DAO's office. I am honestly not sure how long that is
taking at present; it would be better to get with the DAO-Rep to determine a time line.


v/r 























From:
Sent: Monday, June 06, 2016 2:46 PM

















Subject: RE: ACES - FAT Complete - SAT Scheduling --- UNCLASSIFIED//FOUO
Classification: UNCLASSIFIED//FOUO
Hi

Thanks for the update. Based on the        testable items within Xacta, what are the actual dates for the following:
1) ARR 
2) SAT 
3) SAR/ATO 


We have to put concrete markers in the calendar so that we can plan/execute at all the deployment sites. Based on our
last meeting on 14 April, we agreed to a worst case scenario of        to have an ATO w/ POAMs in
hand. That gives us        days to hit this deadline.























Are we going to make it? If not, we need to be able to justify this slip. 


Best, 

















From:
Sent: Thursday, June 02, 2016 7:24 AM

















Subject: RE: ACES - FAT Complete - SAT Scheduling --- UNCLASSIFIED//FOUO


Classification: UNCLASSIFIED//FOUO














(U//FOUO) I am currently trying to get your controls implementation to export from Xacta, I am at 8 mins and counting. I
have not seen anything yet that is a problem that would make it so we could not move forward with an ARR. I did notice
that the Compliance self-test document in Xacta is        pages long with a default of        lines per page. In contrast to this,
       has only        pages at        lines per page.








(U//FOUO) Why this poses a problem is that the information entered in Compliance Self-test filters into my
independent testing task when it opens and then down into Security Assessment>>Analyze Controls tasks. So all of
those items in the Compliance Self-test and Independent Testing tasks will have to be answered in the Security
Assessment task. That may be at its worst in upwards of        items that have to have a risk rating assigned and
information verified. This information is then passed over to the DAO-Rep in the POAM Monitoring task. The DAO-Rep
then has to answer each and every one of these as either a POAM item or reject it.














(U//FOUO) I'm telling you this because all of this takes time in Xacta and will delay the development of the SAR and the
completion of the ATO w/POAM to get the program to step 6. So while I am at the off-site for the rest of today and out
tomorrow, the program folks may want to take a careful look at what they marked for testing to see if there is anything
they can take out, so when we go into the later steps it does not take as long to get through them.


(U//FOUO) We can discuss the actual test cases as part of the ARR just to make sure everyone has a complete
understanding. If you have any questions please let me know. 


v/r 


































Subject: RE: ACES - FAT Complete - SAT Scheduling --- UNCLASSIFIED


Classification: UNCLASSIFIED 


Hi 


Just following-up... We are nearing the end of three weeks this week for the document review. We haven't received
any questions, so am I to assume everything is looking good?





Will you be done this week and can we go ahead and schedule the SAT for next week? 
Thank you! 


Best, 























From:
Sent: Monday, May 23, 2016 12:52 PM
Subject: RE: ACES - FAT Complete - SAT Scheduling --- UNCLASSIFIED


Classification: UNCLASSIFIED 





I am in the process of reviewing your documents and it will take about three weeks to get through all of the information
and get questions answered as they come. 


v/r 




















From: 
Sent: Friday, May 20, 2016 9:36 AM 














Subject: RE: ACES - FAT Complete - SAT Scheduling --- UNCLASSIFIED 


Classification: UNCLASSIFIED 


Hi | 


Just following-up....have you had a chance to look at your calendar and find a date to review all the materials as well as 
schedule the SAT? . 


Best, 























From:
Sent: Tuesday, May 17, 2016 10:39 AM
Subject: ACES - FAT Complete - SAT Scheduling --- UNCLASSIFIED


Classification: UNCLASSIFIED 


Hi 


We completed the ACES FAT yesterday! It took approximately four (4) hours to complete the functional testing and the 
CTP. We are ready to now complete the SAT! (I’m excited if you can’t tell...) 


Based on the length of time required for the FAT, I suspect we can complete the SAT in less than a day. What do we
need to do to get this on the calendar as soon as possible? 


What do we need to do in order to be ready for the SAT? Where do we ship the equipment (through MS&O) and set up 
the server, one operator workstation, etc.? 


Thank you. 


Best, 





























From:

Sent: Friday, June 10, 2016 1:08 PM 

To: 

Cc:

Subject: RE: ACES - FAT Complete - SAT Scheduling --- UNCLASSIFIED//FOUO


Classification: UNCLASSIFIED//FOUO


I will do my best, but it also depends on the findings that come out of testing, what the reviewing DAO Rep
finds, and what POAM items will need to be addressed. You will know what is up because you will have to
coordinate on the POAM.





BTW, I am out July 5-8, so we will either be done by 1 July or my boss will handle it.


V/r




















From: 


Sent: Friday, June 10, 2016 11:08 AM














Subject: RE: ACES - FAT Complete - SAT Scheduling --- UNCLASSIFIED//FOUO


Classification: UNCLASSIFIED//FOUO


Hi        (including the NROC Directors as well in the email chain),


This looks good. 
From:


Sent: 
To: 




















Cc:
Subject: RE: ACES        DAO Rep concerns --- UNCLASSIFIED//FOUO














Signed By: 





Classification: UNCLASSIFIED//FOUO


Great notes - Thank you!





Update: TSB confirmed yesterday that they will be able to test ACES on 29 December. Both the tester and
       will be going to ACES in Arlington.        said that it won't be complete FAT testing due to the fact they don't
currently have their CTP updated.

Please correct me if I misunderstood what you said at the Staff meeting yesterday. Thanks.









































From:
Sent: Tuesday, December 22, 2015 5:29 PM














Subject: RE: ACES DAO Rep concerns --- UNCLASSIFIED//FOUO











Classification: UNCLASSIFIED//FOUO


DAOs        lead,


Here's the latest and the way ahead on MOD's ACES (Advanced Collaboration Enterprise Services / Project        )
effort:

It's 5:30 on Tuesday and it is quiet as a mouse here. I see        is still working.











Thank you and good night, 

















Sent: Monday, December 21, 2015 6:12 AM
To:
Subject: RE: SRT Minutes for ACES --- TOP SECRET//SI/TK//NOFORN


Classification: 














Classified By: 
Derived From: NRO Launch IPG dated 20090202 
Declassify On: 20401231 



































(U//FOUO) I thought I uploaded the minutes but after re        XACTA is not there.


























FYI: My email and network drive data was completely deleted; however, please see the SRT details below:











was the DAO rep 

















UNCLASSIFIED//FOUO


10 June 2015 SRT 


(U//FOUO)











(U//FOUO)














(U//FOUO)

















System connectivity: (U//FOUO)
o Information Types: (U//FOUO)




















(U//FOUO)

C.3.5.8 System and Network Monitoring Information Type
D.1.1 Mission Information Type (        during SRT)
C.2.8.12 General Information Type (        SRT)


Summarized Categorization: 





Final Categorization: 








Risk Adjustments Justification: 
(U//FOUO) Integrity:
(U//FOUO) Availability:























(U//FOUO) ACES consists primarily of a server and video switcher that allows analysts the ability to change the
presentation view by manipulating pixel space on the monitor. ACES eliminates the need for        view
multiple screens of data











Additional connections or classification levels will require a new SRT, are considered A&A relevant, and REL will change.


V/R, 




















From: 
Sent: Monday, December 21, 2015 5:14 PM 
To: 
Cc:
Subject: RE: ACES DAO Rep concerns --- UNCLASSIFIED//FOUO


























Classification: UNCLASSIFIED//FOUO

Appreciate the email, diagram updates, and questions. Good job. As it stands keep pressing forward to get the ground truth.
       will help with the CDS stuff and        can help cover as alternate. Feel free to pull in help when needed.














is the DAO until we determine the CDS nature of this asset, at which point we'll let decide if he should inherit. 
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A TEM is important to stop the conjecture, ask some pointed questions regarding the CDS intent, and determine what the goals/ 
milestones are for this assets mission. 


I trust this is in good hands and you all can back brief me when I get back.
Cheers, 


From: 
Sent: Monday, December 21, 2015 3:15 PM 





























Subject: RE: ACES        DAO Rep concerns --- UNCLASSIFIED//FOUO
Classification: UNCLASSIFIED//FOUO


Please see my modified network diagram (attached). I have modified this attachment from the version submitted in
Xacta. I have attempted to clarify some questions I have and some confusion introduced by the diagram itself. This
diagram came listed with        connectivity this time (was not on the originals). I deleted the
connections as I thought that was confusing. Please see if this makes sense and if my
questions/comments in (RED, best I could do in paint) will help us move forward.



































My concerns are: 




















I have also attached the version loaded in Xacta for reference, hope this helps. Please let me know your thoughts or pass
on to the engineers to answer.


v/r 
Classification: UNCLASSIFIED














How's it going? First time bugging you... Do you happen to have the meeting minutes or any other SRT documentation























for ACES        ? Looking for any REL info/coordination, list of stakeholders/attendees, and info types agreed to.
Thank you, 

From:

Sent: Friday, December 18, 2015        AM

To: 








Subject: FW: SRT Minutes for ACES --- UNCLASSIFIED 


Classification: UNCLASSIFIED 


From:
Sent: Thursday, December 17, 2015 4:14 PM











To:
Subject: SRT Minutes for ACES --- UNCLASSIFIED


Classification: UNCLASSIFIED 













Hi 














       was the DAO Rep for the ACES system, and we completed the SRT on        .
I never did see any minutes come out of the meeting. Is there an archive folder or any
document library that may contain this document?


I figured it's worth trying.


Thanks ! 
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From: | 


























Sent: Wednesday, December 23, 2015 8:45 AM

To: 

Cc:

Subject: RE: ACES DAO Rep concerns --- UNCLASSIFIED//FOUO











Classification: UNCLASSIFIED//FOUO

















That's correct,        and        are going down on the 29 December to take a better look at the Workstation and
       . Once the CTP and SCTP are finalized we expect there to be some additional testing in January.


























Regards, 

















From: 
Sent: Wednesday, December 23, 2015 8:29 AM 

















Subject: RE: ACES        DAO Rep concerns --- UNCLASSIFIED//FOUO


Classification: UNCLASSIFIED//FOUO


Hi 


Great notes — Thank you! 

















Update: TSB confirmed yesterday that they will be able to test ACES on 29 December. Both the tester and
       will be going to ACES in Arlington.        said that it won't be complete FAT testing due to the fact they don't
currently have their CTP updated.

Please correct me if I misunderstood what you said at the Staff meeting yesterday. Thanks.
From:

Sent: Friday, September 16, 2016 12:12 PM 

To: 

Cc:
Subject: 21 September 2016 SETR Agenda --- UNCLASSIFIED 


Classification: UNCLASSIFIED 


All, 


(U) The next Systems Engineering Technical Review (SETR) is scheduled as follows: 














(U) The agenda is as follows: 
*  (U) Advanced Collaboration Enterprise Services (ACES) MOAP Case (SED, 











(U) Briefing charts will be posted to the SETR SharePoint as (see the link 
to the briefing under the “Agendas” section for this meeting date). 


V/r,
From:

Sent: Tuesday, March 08, 2016 11:21 AM 

To: 

Cc:

Subject: ACES Reapprove fix Xacta --- UNCLASSIFIED//FOUO





Classification: UNCLASSIFIED//FOUO




















This asset has an IATT until














Can you correct the IATT task back to DAO approved? Screen grab below.














1/6/2016 12:55:25 - - DAO Rep Alt 





Workflow was modified 


Approve 
1/5/2016 10:40:31 - - DAO (Gov Only) 














Approved 


Recommend: APPROVE
12/29/2015 11:23:42 - - DAO Rep




















Recommend approval of the new IATT for ACES to continue testing and implementation.


Thank you, 
From:
Sent: Tuesday, September 05, 2017 4:12 PM
To:
Subject: Conversation with
Greetings, just an FYI about the IATT pending in your queue for        . Also, I will be working the ATO








request this week and will follow up later this week on the status.











[4:10 PM]: 





104. More to follow on 
From:
Sent: Tuesday, September 05, 2017 1:45 PM
To:
Subject: Conversation with
[1:32 PM]:
Greetings, just an FYI about the IATT pending in your queue for        . Also, I will be working the ATO


request this week and will follow up later this week on the status. 
From:
Sent: Wednesday, September 06, 2017 12:33 PM

To:
Subject: Conversation with






































[12:09 PM]:
You should see the (ACES) ATO and IATT in your queue. I am working with the program to update their 
POA&M in parallel 














[12:20 PM]:
got it...will get to it today or tomorrow 
From:


























Sent: Tuesday, September 27, 2016 10:35 AM

To: 

Cc:

Subject: Extension Request for IATT (Operational) for Advanced Collaboration Enterprise Services (ACES) --- UNCLASSIFIED





Classification: UNCLASSIFIED 














As you know our IATT is set to expire        . We have not yet received the final determination from Mr. Duncan on
the ATO. I'm requesting a        day extension until the VIAB team can give the hot wash brief to Ms. Courtney, who will
in turn meet with Mr. Duncan.

Regards, 
From:




















Sent: Friday,        PM

To: 

Subject: FW: ACES - Important - Please read --- UNCLASSIFIED --- UNCLASSIFIED
Importance: High 


Classification: UNCLASSIFIED 


FY] — ORR request before connections. 











From: 
Sent: Friday, June 24, 2016 2:16 PM 
Subject: FW: ACES - Important - Please read -- UNCLASSIFIED -- UNCLASSIFIED 
Importance: High 

Classification: UNCLASSIFIED 


All, 

Please see direction below from D/MOD. ACES will need to go through an ORR BEFORE it can be connected to any USG 
IT system — this includes [redacted] and any mission partner systems. More to come, but please continue to support 
A&A activities in anticipation of an ORR to be scheduled. 


Thank you, 




















From: 
Sent: Friday, June 24, 2016 1:47 PM 
To: 
Cc: 
Subject: 

Classification: UNCLASSIFIED 
Team, 

(U//FOUO) Thank you for the updates on the ACES program. I can see that we are making good progress. As we are 
nearing the end of the accreditation process, I would like to insert an Operational Readiness Review gate for the 
program once the accreditation is complete. To that end, any work and tasks supporting the Assessment and 











Authorization (A&A) of the system at 

















The ACES servers in the server room may 
remain in place but may not be connected until after the successful completion of the ORR. 

















Thanks, 

















From: 
Sent: Friday, June 17, 2016 1:44 PM 
Subject: IMPORTANT: Weekly ACES Update --- UNCLASSIFIED 


Classification: UNCLASSIFIED 


Advanced Collaboration Enterprise Services (ACES) 


Creating a Common Operating Environment (COE) for MOD Collaboration Enterprise 


This is a weekly status update on ACES for all relevant stakeholders. Highlights/Changes in Red. 
Best, 
From: 
Sent: Monday, May 02, 2016 10:54 AM 
To: 
Cc: 
Subject: ACES IOC v FOC -- UNCLASSIFIED --- UNCLASSIFIED 

Classification: UNCLASSIFIED 

FYI - This just came in from [redacted]; it’s a better explanation of his IOC v FOC intent. 




















Thanks, 


From: 
Sent: May 02, 2016 10:49 AM 














Subject: RE: ACES IOC v FOC --- UNCLASSIFIED 


Classification: UNCLASSIFIED 
Best, 

From: 
Sent: Wednesday, April 27, 2016 4:25 PM 
To: 











Subject: ACES IOC v FOC -- UNCLASSIFIED 


Classification: UNCLASSIFIED 














I’ve been talking to a few folks recently about ACES IOC vs FOC capability and it seems we all have a slight variation of 
our understanding of what we get with each milestone. 

Would you please provide me the definitions/capabilities of each? I plan to share it with the team (and site leadership, 
as necessary), to ensure everyone hears the same information. 


Thanks in advance, 
From: 
Sent: 07.2017 8:32 AM 
To: 
Subject: FW: Advanced Collaboration Enterprise Services (ACES) [Xacta -- UNCLASSIFIED//FOUO 
Attachments: PKI_Testing_Procedure.docx; Audit Compliance Checklist 5 May 2017_v2.pptx; 

















Briefings-ABAC - July 2017 version.pptx 








Classification: UNCLASSIFIED//FOUO 




















and/or 














Are you able to provide me background information on 
























































2017 4:19 PM 

















Subject: RE: Advanced Collaboration Enterprise Services (ACES) [Xacta -- UNCLASSIFIED//FOUO 

Classification: UNCLASSIFIED//FOUO 














Requirements: 
You can update the apps inventory information 
here: [link redacted] 




















Let us know if you have questions. 
































Regards 

Sent: 2017 9:57 AM 
Subject: Advanced Collaboration Enterprise Services (ACES) [Xacta -- UNCLASSIFIED 





Classification: UNCLASSIFIED 





[redacted] ended his full-time orders in May and was the ISO / Program Manager for this effort 
within MOD. He did not provide me any good documentation upon his departure and my Xacta knowledge is 
limited (I am in the project as the ISO), so I’ve had challenges getting useful information out of there. I’m 
attempting to get a solid understanding of where ACES is in the ICD-503 process and how it is faring with 
required 














As an in-development system currently in the 


That 
SS ever So I need to spend some time on ACES and prepare for it to become an 


operational project (in case that’s where the decision ultimately ends). 




















Any assistance from ATD or DAO on where the project is and what it still needs to do would be greatly 
appreciated. 





One bit of information I was able to find in Xacta was that the IATT is due to expire [redacted]. Is 
that true? If it is, what are our options and responsibilities? 





Cheers! 
UNCLASSIFIED//FOUO 

NATIONAL RECONNAISSANCE OFFICE 

(U) Enterprise IT Audit Compliance Checklists 


(U) COMM 1 COMM, 

















5 May 2017 
(U) Audit Compliance 

• (U) NRO ISOs are responsible for making their applications compliant with IC audit standards, and for monitoring that compliance 
• (U) There are a number of steps to audit compliance: registration, onboarding, compliance and continuous monitoring 
• (U) EITA — Audit-as-a-Service — will work with ISOs to connect their systems to AaaS collectors 
  • This process, called “onboarding”, results in an “Active/Enabled & Non-compliant” status being reported from EITA for most systems 
  • ISOs may have additional work to do to achieve compliance with IASD controls and with ICS 500-27 and to be able to get audit liens closed by DAO/Reps. 











• (U) COMM has developed high-level checklists to help ISOs determine what they need to do to get compliant with audit controls and standards 
  • These are general task summaries of what must be done; programs may have specific actions as well 
  • These checklists support both systems which connect to AaaS and non-connected systems 

It is the responsibility of the ISO to provide proof that their application/system is [text not legible] prove otherwise 











UNCLASSIFIED//FOUO 
(U) Audit Process 
• (U) High level summary 

• (U) Primary participants: 
Graphic is Unclassified//FOUO 
(U) How to get Audit-compliant checklist - connected systems 


























Table is U//FOUO 
(U) How to get Audit-compliant checklist - disconnected systems* 























Table is U//FOUO 
(U) Audit Compliance - Liens 

• (U) What constitutes compliance with ICS 500-27 from a lien perspective? These activities are required to close audit liens. 
(U) Links to checklist resources 





1 Onboard with NRO Apps inventory 
2 Onboard with EITA 
4 Assign Audit Risk Lane 
5 Develop Compliance Plan 
6 Complete audit worklists 
7 Generate audit events commensurate with TARL 
8 Configuring stand-alone systems (stand-alone) - Microsoft Word Document 
Table is Unclassified//FOUO 
NATIONAL RECONNAISSANCE OFFICE 


(U) Attribute-based Access Control (ABAC) Overview 

(U) COMM - COMM/ Scope and Compliance Verification 























1 May 2017 
(U) What’s ABAC? 

• (U) Attribute-based access control (ABAC) is an access control approach that uses the attributes of a person or non-person entity to control access to data based on pre-determined policies 
• (U) ABAC improves information security by dynamically controlling access to data or applications which provide access to data 














UNCLASSIFIED 
(U) Why is this important? 

(U) IC Enterprise services are available to support cybersecurity initiatives to provide key enablers to defeat insider threats 

[Graphic; recoverable labels: Community Audit Exchanges; PDP Policy Decision Point; PIP Policy Information Point (attribute storage)] 
Graphic is Unclassified 
(U) ABAC Background 

(U) ICS 500-30 signed 24 April 2014, 2 years to implement 
(U) ICS 500-30 specifies ABAC, ICS 500-24 PKE is an enabler 
  • Two parts: Assign attributes to personas, enable information resources (apps and data) 
(U) NRO IASD Rev. C (June 2015) levies specific ABAC controls 
(U//FOUO) NRO CIO Policy Note 2016-02 30 March 2016 
  • COMM to stand up ABAC infrastructure, including enterprise attributes, PEP, PDP, common controls provider, API gateway to integrate with NRO IdAM and IAA services 
  • Enterprise services now available; MSS v3.0 in FY17 
  • ISO serves in role as data steward for NRO-owned data, implement ABAC and document in SSP 
  • Data Stewards define access policies and work with Information System Owner (ISO) to implement 
• (U) Use of IC ITE services may require ABAC* 

*NCC Decision Brief-2015-08-28 NRO Applications Readiness for IC ITE 
(U) Which NRO Applications need ABAC? 

• (U) NRO CIO stated 














• (U) COMM: 


























• (U) ABAC binning approved by NRO CIO 
(U) What does this mean? 


• (U) If an application has restrictions on who can access it or the data within, based on user attributes, then likely it has an ABAC requirement 
• (U) Data Stewards can ask this question: “Does this application have rules that restrict access to the application or underlying data, or can anyone access it?” 
  • If the answer is “Yes, not everyone has access”, then there is likely an Access Control (AC) requirement 
  • If there is an Access Control requirement, then ask “can I enforce this rule based on the attributes (AB) of the user?” 
  • Formula: AB + AC = ABAC 
• How you technically enable it is a separate discussion 
UNCLASSIFIED 

(U) ABAC Decision 

• (U) Data Stewards review their current access requirements to make an ABAC determination 

[Decision flow graphic; recoverable text:] 
- Are there access restrictions to the resource (application or data)? 
- What are those access policies? 
- Do those policies use the attributes of users or NPEs to make access decisions? 
- Are those attributes available within the enterprise attribute set or available elsewhere? 
- Outcome: ABAC is a requirement of the system; implement enterprise capability, or legacy application [text not legible] meets ABAC controls 
(U) Key ABAC compliance elements 

• (U) Current & DAO/Rep assessment elements review: 
(U) ABAC Status 

[Charts; recoverable text:] (U) [subject not legible] monitors all NRO PKE/Audit in-scope applications to determine ABAC binning; data stewards are now self-identifying and making final determination; reviewing plans for compliance. Chart labels: compliant, CSO, ABAC Binning, waivered apps. (U) Graphics are Unclassified 
(U) Next Steps for ISOs 


• (U) Register app in NRO Apps Inventory 
• (U) If not going to ABAC enable: 
  • File waiver with CIO 
  • Turn off system 
• (U) Determine ABAC status 
  • If required, develop plan for compliance, send to COMM mailbox 
(U) Resources 

• (U) Cookbooks and implementation guides 
  • PKE 
  • Audit 
  • ABAC 
• (U) RADT Developer 
(U) PKE/Audit/ABAC Initiatives 


• (U//FOUO) White House’s Near-Term Measures to Reduce the Risk of [text not legible] - Conduct a review of all information sharing portals hosted on classified computer networks to ensure each requires authentication (via PKI per IC) and supports enterprise audit. Non-compliant portals shall be appropriately secured or removed. 








• (U) ICS 500-24 - Web-enabled information resources of IC information domains shall 
• (U//FOUO) ICS 500-27 - Intelligence Community IC elements shall audit information resources within the IC information resources to protect national intelligence, identify threats (including insider threats), detect and deter penetration... signed in 2011; 




















• (U) ICS 500-30 Enterprise Authorization Attributes: Assignment, Sources and Use for Attribute-Based Access Control of Resources, signed 24 April 2014, 2 years to implement 
(U) ABAC-specific controls will be allocated for in-scope assets 

(U) Steps to ABAC Success translate into ABAC compliance activities 
(U) RMF Step 2 

The information system shall enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies (e.g., identity-based policies, role-based policies, attribute-based policies). [Source: NIST SP 800-53 AC-3] 

The Information System Owner shall [text not legible] access to the information system based on [text not legible] attributes as required by the organization or associated missions/business functions. [Source: NIST SP 800-53 AC-3] 

The Information System Owner shall allow individuals to associate, and maintain the association of, security attributes with subjects and objects in accordance with [text not legible]. [Source: NIST SP 800-53 AC-16(8)] 

For Attribute-Based Access Control, the Information System Owner shall implement a Policy Enforcement Point (PEP) solution to enable attribute-based access controls (ABAC) on all information resources in accordance with Intelligence Community Standard 500-30. [Source: Intelligence Community Standard 500-30] 

For Attribute-Based Access Control, the Information System Owner shall implement Policy Information Points (PIP), Policy Decision Points (PDP), and Policy Administration Points (PAP) to enable attribute-based access controls (ABAC) on all information resources in [text not legible]. 

The Information System Owner shall develop a security plan for the information system that: 
a. Is consistent with the organization's enterprise architecture; 
b. Explicitly defines the authorization boundary for the system; 
c. Describes the operational context of the information system in terms of missions and business processes; 
d. Provides the security categorization of the information system including supporting rationale; 
e. Describes the operational environment for the information system and relationships with or connections to other information systems; 
f. Provides an overview of the security requirements for the system; 
g. Identifies any relevant overlays, if applicable; 
h. Describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring decisions; 
i. Is reviewed and approved by the authorizing official or representative prior to plan implementation. 
[Source: NIST SP 800-53 PL-2 a] 
(U) RMF Step 3 

• (U) Within Step 3 of RMF, the ISO will determine how to enable ABAC 
  • ISO Implement Security Controls 
  • Link to Implementation Options 

[Decision graphic; recoverable text: Build internal PEP/PDP, get attributes from [not legible]; CIO Approval?; Build internal PEP / Use SP PDP; Application URL; Use SP PEP and PDP] 
Graphic is Unclassified 
(U) ABAC Remediation 


• (U) For programs that have a defined requirement, acquisition plans are required; POA&Ms and liens may be next 
(U) ABAC FAQ 

(U) “What is the deadline?” 

















(U) “I'm Bin 3. What do I have to do?” 














(U) “My COTS application uses RBAC. Is that ABAC-compliant?” 








(U) “I'm an IIR and I use the OIN to authenticate. Will this work with ABAC?” 

















(U) “Is PKE required to do ABAC?” 
[Figure: User, PEP, PDP, PAP, PIP, Protected Resource] 
Figure is UNCLASSIFIED 

PEP Policy Enforcement Point 
PDP Policy Decision Point 
PAP Policy Administration Point (policy storage) 
PIP Policy Information Point (attribute storage) 
(U) ABAC Steps 


1. User attempts to access a protected resource; 
2. PEP intercepts request and requests access decision from PDP; 
3. PDP requests policies for access control decision; 
4. PAP returns applicable policies; 
5. PDP requests attributes for user/resource; 
6. PIP returns applicable attributes; 
7. PDP returns access decision; 
8. If successful, access to protected resource; 
9. Access/Denial 
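The nine steps above as a runnable Python model, added here as an example (it is not NRO code and does not model the IAA or IdAM services): a PEP asks a PDP, which pulls policies from a PAP and attributes from a PIP, and denies by default when attributes or policies are unavailable, the last question of the ABAC Decision flow. The subjects, DNs, attribute values, resource attributes and policies are constructed; the attribute names follow the UIAS attribute table later in the briefing.

```python
"""Minimal PEP/PDP/PAP/PIP flow following the nine ABAC steps.

Added example, not NRO code: subjects, DNs, attribute values, resource
attributes and policies are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable

# Rank used to compare a clearance with a resource classification (constructed).
CLEARANCE_RANK = {"U": 0, "C": 1, "S": 2, "TS": 3}

# PIP: attribute storage. Keys are constructed digital identifiers (PKI DNs).
PIP = {
    "CN=alice,OU=Staff,O=U.S. Government": {
        "clearance": "TS", "countryOfAffiliation": {"USA"},
        "isICMember": True, "lifeCycleStatus": "active"},
    "CN=bob,OU=Contractor,O=U.S. Government": {
        "clearance": "S", "countryOfAffiliation": {"USA"},
        "isICMember": True, "lifeCycleStatus": "active"},
    "CN=webapp01,OU=NPE,O=U.S. Government": {
        "clearance": "TS", "countryOfAffiliation": {"USA"},
        "isICMember": True, "lifeCycleStatus": "retired"},
}

# Resource attributes, also served by the PIP in this example (constructed).
RESOURCE_ATTRS = {
    "/reports/ts": {"classification": "TS", "releasableTo": {"USA"}},
    "/reports/s": {"classification": "S", "releasableTo": {"USA", "GBR"}},
}

Rule = Callable[[dict, dict], bool]


@dataclass(frozen=True)
class Policy:
    name: str
    target_prefix: str  # resources this policy applies to
    rule: Rule          # True means the policy is satisfied


def clearance_dominates(subj: dict, res: dict) -> bool:
    return CLEARANCE_RANK[subj["clearance"]] >= CLEARANCE_RANK[res["classification"]]


def releasable_to_affiliation(subj: dict, res: dict) -> bool:
    return bool(subj["countryOfAffiliation"] & res["releasableTo"])


def entity_is_active(subj: dict, res: dict) -> bool:
    return subj["lifeCycleStatus"] == "active"


# PAP: policy storage. Every applicable policy must be satisfied to Permit.
PAP = [
    Policy("clearance-dominates-classification", "/reports/", clearance_dominates),
    Policy("country-of-affiliation-releasable", "/reports/", releasable_to_affiliation),
    Policy("entity-life-cycle-active", "/", entity_is_active),
]


class PDP:
    """Policy Decision Point: steps 3 to 7 (fetch policies, fetch attributes, decide)."""

    def __init__(self, pap, pip, resource_attrs):
        self.pap, self.pip, self.resource_attrs = pap, pip, resource_attrs

    def decide(self, subject_dn: str, resource: str) -> tuple[str, list[str]]:
        policies = [p for p in self.pap if resource.startswith(p.target_prefix)]
        subj = self.pip.get(subject_dn)
        res = self.resource_attrs.get(resource)
        # Fail closed: unknown subject, unknown resource or no policy is a Deny.
        if subj is None or res is None or not policies:
            return "Deny", ["no attributes or no applicable policy"]
        failed = [p.name for p in policies if not p.rule(subj, res)]
        return ("Permit", []) if not failed else ("Deny", failed)


class PEP:
    """Policy Enforcement Point: steps 2, 8 and 9 (intercept, enforce, audit)."""

    def __init__(self, pdp: PDP):
        self.pdp = pdp
        self.audit_log: list[dict] = []  # one audit event per access decision

    def request(self, subject_dn: str, resource: str) -> bool:
        decision, reasons = self.pdp.decide(subject_dn, resource)
        self.audit_log.append({"subject": subject_dn, "resource": resource,
                               "decision": decision, "reasons": reasons})
        return decision == "Permit"


def build_pep() -> PEP:
    return PEP(PDP(PAP, PIP, RESOURCE_ATTRS))


if __name__ == "__main__":
    pep = build_pep()
    for dn in PIP:
        print(dn, "/reports/ts", pep.request(dn, "/reports/ts"))
```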
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App Components 
with external and 
internal data 
sources 


NPE systems 
(Web Servers, 
App Servers, 
Applications) 
(U) Typical Web Application ABAC Steps 

[Table; recoverable text, by step:] 

Obtain PKI Certificates 
- Obtain NPE PKI if your web server does not already have one 
- Provide web server PKI certificate/key-pair to IAA or IdAM 

Data Access Policies 
- Create data access policies or rules for web server URLs 

Web App, External PEP/PDP 
- Lock down web server to prevent end-users from circumventing the PEP (iptables, etc.) 
- If IAA, update DNS to route web site requests to the AccessIT! SAMS PEP address and no longer the web server 
- If IdAM, implement code in application to redirect to the gateway appliance 

Web App as PEP, External PDP 
- Update web app to implement enforcement of access control decision received from PDP 
- If IAA, configure web app to connect to AccessIT! CAM using SOAP or RESTful interfaces 
- If IdAM, configure web app to connect to OES using REST 

Web App as PEP/PDP, External Attributes 
- If IdAM, configure web app to pull attributes from IAMS (SCIM, LDAP, SQL) 
- If IAA, configure web app to connect to AccessIT! Attribute service using compiled WSDL (Oracle, JBOSS, Tomcat) or SOAP Attribute Web Service 
- Update web app to make and enforce policy rules 

Complete Final Steps 
- Complete NRO RMF process; Obtain NRO CIO ABAC enablement approval 

Legend: ISO & Data Steward Responsibility; IAA/IdAM ABAC Services 
Attribute Name | Description 
Admin Organization | Reflects the home organization of the entity 
Authority Category | Specifies the authority(ies) under which the entity is authorized to access and/or discover protected resources. 
Authority to Operate Status | This attribute indicates the Authority to Operate (ATO) status for the non-person entity. 
Authorized IC Person | Reflects whether or not the entity is an AICP 
Clearance | Reflects the clearance or classification level of the entity 
Country of Affiliation | Reflects the citizenship(s) of affiliation(s) of the entity 
Digital Identifier | Reflects the DN from the entity's PKI certificate 
[name not legible] | Reflects the assigned organization of the entity 
[...]ity Mark | Classification and handling of the entity's digital identifier 
[name not legible] | Reflects the type of entity 
Fine Access Controls | Reflects the fine grain access aspects of control systems, compartments or dissemination controls and SAPs of the entity 
IC Networks | List of other IC networks or domains to which an entity's digital identifier may be transmitted 
Is IC Member | Reflects whether or not the entity is a member of the IC 
Life Cycle Status | Indicates the life cycle phase in which the entity is operating 
Region | Indicates the individual countries or larger sub-regions such as geographical areas of combatant command Areas of Responsibility (AORs), Areas of Interest (AOIs), or State and Non-State Actor(s) 
[name not legible] | Indicates the position, job or area of responsibility associated with the entity 
[name not legible] | Indicates the particular intelligence subject area 
(U) UIAS 3.0 Enterprise Attributes (17) 


(U) Unified Identity Attribute Set (UIAS) is a DNI technical specification mandated for all of the IC 
• (U) 17 Enterprise Attributes currently defined 
• (U) UIAS v2014-DEC adds two additional environmental attributes (certificate authority and originating network); has yet to be adopted by IC 
(U) Blue highlighted attributes are the minimum needed for information resources hosted within the Utility Component that are JWICS facing (2PI Ready) 
PKI Testing Procedure 
This memo describes the Public Key Infrastructure (PKI) testing procedure for validation of PKI 
compliance of web URLs. FireFox version 38.7.0 is used for the examples. 


Table of Contents 





1. One-Time Setup Steps 
1.1 FireFox Web Browser Setting - Request User Certificate 
1.2 Import Certificate Authorities (CAs) into FireFox 
1.3 Valid User Certificate 
1.4 Revoked User Certificate 
1.5 Expired User Certificate 


2. PKI Testing 

2.1 Prepare Document For A Batch Of Tests 
2.2 Test Each URL 

2.2.1 Initial Certificate Tests 

2.2.2 Revoked User Certificate Test 

2.2.3 Expired User Certificate Test 

2.2.4 Post-Test Browser Clean Up 

2.2.5 NRO Applications Inventory Update 
2.3 Finishing Step 


Appendix A. Report Template 
Header Script 


Appendix B. Example Report Data 
Example of a Summary Results Table 
Example of a Test Results Table 


Appendix C. Test Procedure Flow Chart 
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1. One-Time Setup Steps 


1.1 FireFox Web Browser Setting - Request User Certificate 
In the Firefox browser, select “Ask me every time” under Options -> Advanced -> Certificates. 







[Screenshot: Firefox Options -> Advanced -> Certificates. “When a server requests my personal certificate:” with the options “Select one automatically” and “Ask me every time”; “Query OCSP responder servers to confirm the current validity of certificates”; View Certificates / Security Devices buttons] 


1.2 Import Certificate Authorities (CAs) into FireFox 


1. Click on “View Certificates” in Options -> Advanced -> Certificates. 
[Screenshot: Firefox Options -> Advanced -> Certificates with “Ask me every time” selected and the View Certificates / Security Devices buttons] 
2. Select “Authorities” and scroll to “U.S. Government”. 


[Screenshot: Certificate Manager, Authorities tab, showing IC NRO CA3 and IC PE Common Services CA3 under U.S. Government] 

The current CAs are: 

IC PKI Root CA 2, IC ITE CA 1, ICPKI DIA CA 4, IC PKI Root CA 3, ICPKI Common Services CA 3, ICPKI NRO CA 3, IC PKI Root CA 4, ICPKI NSA CA 3, ICPKI NGA CA 2, ICPKI CIA OFFLINE CA, ICPKI CIA CA 4, ICPKI NGA CA 3, ICPKI COE CA 2, ICPKI CIA CA 3 

If any IC CA certificates are missing, download them from [link redacted] and import them into Firefox. 





1.3 Valid User Certificate 
1. Obtain your PKI user certificate (if you don’t already have one) from here: 

















2. Save the Certificate on your H: drive. 
3. Import your PKI user certificate into Firefox. Press “Import” under the “Your Certificates” tab. 
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1.4 Revoked User Certificate 
1. A revoked certificate can be created by revoking your own certificate at [link redacted]. 
Select “Revoke My User Certificates” located at the bottom of the right pane. (It may take hours 
before this certificate is distributed in the Certificate Revocation List (CRL).) 
2. Note the information that differentiates this certificate (such as the serial number or expiration 
date) so you can select it from the browser pop-up menus in the future. 

[Screenshot: certificate details showing “This certificate has been verified for the following uses: SSL Client Certificate, Email Signer Certificate”] 














1.5 Expired User Certificate 
1. Request a new user certificate. Specify that it should expire tomorrow. 
2. Import the certificate. (See 1.3 step 3.) 
3. Record how to identify this expired certificate (i.e., by the serial number). 

















4. After the new certificate has expired, request a new, valid user certificate by repeating the steps 
in 1.3. 


Note that certificates from the IAMS “PKE Testing using NRO Test PKI Certificates” 
site are only for test web sites and cannot be used with this procedure for testing 
production sites. 
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2. PKI Testing 


2.1 Prepare Document For A Batch Of Tests 


1. Create test report document based on the template in Appendix A. 


2. Obtain the list of URLs of the sites to test. Create a table of application URLs with Asset name, 
Acronym and ID. 


Application information taken from the NRO Application Inventory often contains multiple URLs 
per application. Extract each URL so that the resulting list contains one URL per entry. Clean up 
the data URLs; Remove non-URL text, commas, white space, etc. 


3. Create Test Results tables. To document the test artifacts and results, one test results table 
should be created for each URL. Place each table on separate page. 


ID | ID number (ID from NRO Apps Inventory or an index). May append the Acronym. 
Asset Name | Name of the application 
URL | Address to test 
User cert requested? | Yes or No. (Was there a pop-up requesting a user certificate selection?) 
Server cert accepted? | Answer “Yes” if https URL and no server certificate error is seen. If there is a server certificate error, answer “No” and include a snapshot of the error. 
Access With Valid User Cert 
Resulting Page(s) | Snapshots of pages and pop-ups. Include the address bar when available. 
Meaning | Short interpretation of the results. 
Access With Revoked User Cert 
Resulting Page(s) | Snapshots of pages and pop-ups when accessing the site with a revoked user certificate. Include the address bar when available. 
Meaning | Short interpretation of the results. 
Access With Expired User Cert 
Resulting Page(s) | Snapshots of pages and pop-ups when accessing the site with an expired user certificate. Include the address bar when available. 
Meaning | Short interpretation of the results. 
Status | Overall results of the test: “Pass”, “Inconclusive”, “Prevented” or “Fail” (with reason). 
























(For large URL lists, see Appendix A for a script to help with creating the test tables.) 
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2.2 Test Each URL 

2.2.1 Initial Certificate Tests 
1. Locate a Test Results table for a URL to test in the report document. Get the URL value. 
2. Start with a fresh Firefox browser session. 
3. Enter the URL to test in the address bar and press Enter. 


4. If there was a connection error, such as a timeout, DNS lookup failure, cannot communicate 
with external server, connection refusal, server not found, etc., record in the Status box of the 
Test Results table that the test was “Prevented because of connection.”. A snapshot of the error 
(including the Address bar) may be placed in the box “User cert requested?”. Example: 

ID | 123 
Asset Name | XYZ 
URL | https://xyz.com 
User cert requested? | [Screenshot of the address bar and the error “Server not found - Firefox can't find the server at xyz.com”] 
Status | Test prevented because of connection. 

The test is done. Skip to 2.2.4 Post-Test Browser Clean Up. 


5. If there is a security error such as a secure connection fail or if a basic authentication pop-up 
appears or if the web site page is displayed, then record “Fail” in the Status box of the Test 
Results table. A snapshot of the error may be placed in the “User cert requested?” box. 
The test is done. Skip to 2.2.4. 

6. A user certificate pop-up (“User Identification Request”) should appear. 

If your certificate is not prompted for and the web site content is displayed, then enter 
“No” in the “User cert requested?” box and “Fail” in the “Status” box 
of the Test Results table. The test is done. Skip to 2.2.4. 





If your certificate is prompted for, record “Yes” in the “User cert requested?” box in the 
Test Results table. 


7. Select the good certificate. Leave the “Remember this decision” box checked and click OK. (No 
need to take a snapshot of this.) This dialog may pop-up multiple times (even though 
“Remember this decision” was checked) because of redirections. Select the good certificate 
each time. 

[Screenshot: “User Identification Request” dialog: “This site has requested that you identify yourself with a certificate:”; Organization: “U.S. Government”; Issued Under: “U.S. Government”; “Details of selected certificate:”] 
8. After selecting your good user certificate, the server certificate is checked by the browser. If 
there is a “This Connection is Untrusted” pop-up, expand the “Technical Details” section and 
take a screen-shot of it and place it in the “Server cert accepted?” box along with the answer 
“No”. 

ID | ID number (ID from NRO Apps Inventory or an index). May append the Acronym. 
Asset Name | Name of the application. 
URL | Address to test. 
User cert requested? | Yes. 
Server cert accepted? | No. [Screenshot: “This Connection is Untrusted” page: “You have asked Firefox to connect securely to this site, but we can't confirm that your connection is secure. Normally, when you try to connect securely, sites will present trusted identification to prove that you are going to the right place. However, this site's identity can't be verified.” Technical Details: “The certificate is not trusted because the issuer certificate is unknown. (Error code: sec_error_unknown_issuer)”; “I Understand the Risks” section] 
Expand the “I Understand the Risks” section. If there is no “Add Exception” button, record
“Prevented because of bad server certificate.” in the Status box of the Test Results table. The
test is done. Skip to 2.2.4.


If there is an “Add Exception” button, then click on it. (More information can be gathered by
clicking on “View” and taking screen shots.) Click on “Confirm Security Exception” to continue
testing this URL. From this point on the user-certificate tests run against a server whose
identity the browser could not verify, so the “No” already recorded in the “Server cert
accepted?” box stays in the report.


If there is no “This Connection is Untrusted” pop-up, then record “Yes” in the “Server cert
accepted?” box.


9. Take a screenshot of the web page contents that are loaded and save it in the “Resulting
Page(s)” box. (Include the Address box.)

Access With Good User Cert
Resulting Page(s)














10. Enter the meaning of the results in the “Meaning” box. If you see your account name displayed
or some other recognition of your identity, then record that. Example: “Identified user based on
user certificate”. If there is no recognition of your identity but the site contents are displayed, you might
record that the site “Allowed access when given a valid user certificate”.


11. Prepare for the next part of the test by clearing the recent history and exiting the browser. 
(Refer to 2.2.4 for details.) 
2.2.2 Revoked User Certificate Test
12. Start with a new Firefox browser session. 
13. Enter the URL in the address bar again and press Enter. 


14. When your user certificate is prompted for by a “User Identification Request” pop-up, select the 
revoked certificate. Leave the “Remember this decision” box checked and click OK. This dialog 
may pop-up multiple times. 


15. Take a screenshot of the web page contents that are displayed and save it in the “Resulting
Page(s)” box.

Access With Revoked User Cert
Resulting Page(s)       Screenshot of the server's response, here an IIS error page:

    (U) Access Denied

    (U) 403.13 - Forbidden: Client certificate has been revoked on the Web server.

    (U) Your client certificate was revoked, or the revocation server could not be contacted. A
    Secure Sockets Layer (SSL) client certificate is used for identifying you as a valid user of the
    resource.


16. Enter the meaning of the results seen (when the revoked certificate was given) into the
“Meaning” box. Enter the overall test result in the “Status” box.


For example, if the contents of the web site are displayed, you could enter “Allowed access
when given a revoked user certificate” as the meaning and enter “Fail” as the
overall status. The test is done. Proceed to 2.2.4.


If there was no indication that the certificate was recognized as revoked, then “No indication
that the revoked user certificate was rejected” could be entered as the meaning
and “Inconclusive” be entered as the overall status. (This is the case where the exact same
access-not-allowed page is displayed for both the good certificate and the revoked user
certificate.) The test is done. Proceed to 2.2.4.


If a page appears stating that access is denied because the user certificate is revoked, then the
meaning would be “Site blocked access to revoked user certificate”. Note that the IIS 403.13
page shown above also covers the case where the server could not contact its revocation
server. If the good certificate was rejected with the same 403.13 page in 2.2.1, the server is
most likely rejecting every certificate because the CRL is unreachable, which says nothing
about whether the revoked certificate was recognized; record “Inconclusive” in that case.


17. Prepare for the next part of the test by clearing the recent history and exiting the browser.
(Refer to 2.2.4 for details.)
2.2.3 Expired User Certificate Test
18. Start with a new Firefox browser session.
19. Enter the URL in the address bar again and press Enter.


20. When your user certificate is prompted for by a “User Identification Request” pop-up, select the
expired certificate. Leave the “Remember this decision” box checked and click OK. This dialog
may pop-up multiple times.


21. Take a screenshot of the web page contents that are displayed and save it in the “Resulting
Page(s)” box.

Access With Expired User Cert
Resulting Page(s)       Screenshot of the server's response, here an IIS error page:

    Server Error

    403 - Forbidden: Client certificate has expired.
    You do not have permission to view this directory or page using the credentials that you supplied.

Meaning                 Site blocked access to user with expired certificate.
Status                  Pass


22. Enter the meaning of the results seen (when the expired certificate was given) into the
“Meaning” box. Enter the overall test result in the “Status” box.


For example, if the contents of the web site are displayed, you could enter “Allowed access
when given an expired user certificate” as the meaning and enter “Fail” as the
overall status. The test is done. Proceed to 2.2.4.


If there was no indication that the certificate was recognized as expired, then “No indication
that the expired user certificate was rejected” could be entered as the meaning
and “Inconclusive” be entered as the overall status. (This is the case where the exact same
access-not-allowed page is displayed for both the good certificate and the expired user
certificate.) The test is done. Proceed to 2.2.4.


If a page appears stating that access is denied because the user certificate is expired, then the
meaning would be “Site blocked access to user with expired certificate”.
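The decisions in 2.2.1 through 2.2.3, together with the Status Definitions in Appendix A, form a small decision procedure (the one Appendix C draws as a flow chart). The following Python script is an added example, not part of the original procedure or its PowerShell helper: it encodes that procedure so observations recorded by hand in a Test Results table are turned into the same “Meaning” and “Status” entries every time, and it produces the status counts that 2.3 suggests for larger reports. The Attempt and UrlTest classes, the keyword patterns used to recognise an access-denied page, and the sample rows (modelled on Appendix B, not real test data) are the example's own assumptions.

```python
"""Scoring helper for the PKI test procedure (added example, not the original's code).

Encodes 2.2.1 - 2.2.3 and the Appendix A Status Definitions so hand-recorded
observations can be scored consistently.  Class and function names are assumed.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional, Tuple

PASS, FAIL, INCONCLUSIVE = "Pass", "Fail", "Inconclusive"
PREVENTED_CONN = "Prevented because of connection."
PREVENTED_CERT = "Prevented because of bad server certificate."

# Wording seen on the IIS error pages in the procedure.  403.13 is the IIS
# sub-status "Client certificate has been revoked on the Web server".
REVOKED_RE = re.compile(r"403\.13|revoked", re.I)
EXPIRED_RE = re.compile(r"expired", re.I)
DENIED_RE = re.compile(
    r"\b40[13]\b|forbidden|access (?:is )?denied|sign-in attempt failed", re.I)


@dataclass
class Attempt:
    """What the browser showed after one user certificate was presented."""
    http_status: Optional[int] = None   # None: no page loaded at all
    page_text: str = ""                 # visible text of the resulting page
    identity_shown: bool = False        # account name / identity recognised


@dataclass
class UrlTest:
    """One Test Results table, as recorded while following 2.2.1 - 2.2.3."""
    url: str
    connected: bool = True              # False: DNS lookup failure or timeout
    user_cert_requested: bool = True    # "User Identification Request" seen
    server_cert_accepted: bool = True   # no "This Connection is Untrusted"
    exception_available: bool = True    # "Add Exception" button was offered
    good: Optional[Attempt] = None      # 2.2.1
    revoked: Optional[Attempt] = None   # 2.2.2
    expired: Optional[Attempt] = None   # 2.2.3, if performed


def denied(a: Attempt) -> bool:
    """True when the page is an access-denied page rather than site content."""
    return a.http_status in (401, 403) or bool(DENIED_RE.search(a.page_text))


def meaning_good(a: Attempt) -> str:
    if denied(a):
        return "Access denied when given a valid user certificate."
    if a.identity_shown:
        return "Identified user based on user certificate."
    return "Allowed access when given a valid user certificate."


def meaning_bad(a: Attempt, kind: str, reason_re) -> str:
    """'Meaning' for the revoked or expired attempt; kind names which one."""
    if not denied(a):
        return "Allowed access when given a %s user certificate." % kind
    if reason_re.search(a.page_text):            # server stated the reason
        return "Site blocked access to %s user certificate." % kind
    return "Blocked access when given a %s user certificate." % kind


def score(t: UrlTest) -> Tuple[str, str, str]:
    """Return (meaning with good cert, meaning with revoked cert, Status)."""
    if not t.connected:
        return ("", "", PREVENTED_CONN)
    if not t.server_cert_accepted and not t.exception_available:
        return ("", "", PREVENTED_CERT)          # step 8: no "Add Exception"
    if not t.user_cert_requested:
        m = "Did not ask for a user certificate."
        return (m, m, FAIL)
    if t.good is None or t.revoked is None:
        raise ValueError("%s: good and revoked attempts are both required" % t.url)

    mg = meaning_good(t.good)
    mr = meaning_bad(t.revoked, "revoked", REVOKED_RE)
    no_sign = "No indication that the revoked user certificate was rejected."

    if not denied(t.revoked):                    # revoked certificate let in
        return (mg, mr, FAIL)
    if t.expired is not None and not denied(t.expired):
        return (mg, mr, FAIL)                    # expired certificate let in
    if REVOKED_RE.search(t.good.page_text):
        # Good cert got the same "revoked, or revocation server could not be
        # contacted" page: the CRL check itself is failing, so nothing shows
        # that the revoked certificate was recognised as revoked.
        return (mg, no_sign, INCONCLUSIVE)
    if REVOKED_RE.search(t.revoked.page_text):
        # Server named revocation as the reason: exactly the evidence the
        # Inconclusive definition says is missing, so Pass even when the good
        # certificate only reached an access-denied page.
        return (mg, mr, PASS)
    if denied(t.good):                           # same denied page for both
        return (mg, no_sign, INCONCLUSIVE)
    return (mg, mr, PASS)                        # good cert in, revoked out


def summarize(tests) -> Counter:
    """Status counts for the statistics suggested in 2.3."""
    return Counter(score(t)[2] for t in tests)


# Constructed sample rows modelled on Appendix B; hostnames and pages are made up.
SAMPLE = [
    UrlTest("https://airbrush.example/", good=Attempt(200, "Welcome to AIRBRUSH"),
            revoked=Attempt(403, "403.13 - Forbidden: Client certificate has "
                                 "been revoked on the Web server.")),
    UrlTest("https://abc.example/", good=Attempt(403, "Access Denied"),
            revoked=Attempt(403, "Access Denied")),
    UrlTest("https://def.example/", user_cert_requested=False),
    UrlTest("https://ghi.example/", good=Attempt(200, "Home"),
            revoked=Attempt(200, "Home")),
    UrlTest("https://jkl.example/", server_cert_accepted=False,
            exception_available=False),
    UrlTest("https://mno.example/", connected=False),
]

if __name__ == "__main__":
    for t in SAMPLE:
        print(t.url, *score(t), sep="\n    ")
    print(dict(summarize(SAMPLE)))
```

The page_text fed to score() is the visible text of the screenshot saved in the “Resulting Page(s)” box; the regular expressions only need to spot the reason the server printed, so a site that uses its own wording for a denied page should have its phrase added to DENIED_RE rather than be scored by HTTP status alone.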
2.2.4 Post-Test Browser Clean Up


23. Clear recent cookies, cache, active logins, offline website data and site preferences. Click “clear
your recent history” under Options -> Privacy.

Screenshot: Firefox Options -> Privacy page (about:preferences#privacy). Under History, “Firefox will: Remember history” is selected, with the note “Firefox will remember your browsing, download, form and search history, and keep cookies from websites you visit. You may want to clear your recent history, or remove individual cookies.” Click the “clear your recent history” link.


24. Exit the browser.
2.2.5 NRO Applications Inventory Update


25. In the “Audit/PKE Compliance View” (or the first “PKI Verification” view), update the
- “A&CS:PKE Compliance Verification” to the status of the test for the URL, and
- “A&CS PKE Verification Date” to the date the test was performed.
- If the URL tested is missing from (or has changed in) the NRO Applications Inventory, then
update the URL value in the inventory.


26. Perform the test procedure for the next web site URL.


2.3 Finishing Step
Populate the Summary of Results table. See Appendix B for an example.


You may wish to add statistics and/or a chart for larger reports.
Appendix A. Report Template
From: <Your name>, comm
Date: 2016-05-13
Subject: PKI Verification Test Results


This is a report of the results from the PKI tests on the given URLs. Each PKI enabled site is expected to
require a user certificate. If the site requested a certificate, a valid user certificate was provided and a
home page, login page or access denied page was expected. Then, using a fresh browser, the site was
tested again with a revoked user certificate. The site is expected to check the Certificate Revocation List
(CRL), recognize the revoked certificate and prevent access to the site.


Summary of the Results

ID (Acronym) | Asset | Server Cert | Access With Good User Cert | Access With Revoked User Cert | Status

Test Table Field Definitions

Field                   Description
ID (Acronym)            ID number (from NRO Application Inventory) and optional Acronym.
Asset Name              Name of application.
URL                     The address to test.
User cert requested?    “Yes” means there was a pop-up requesting a user certificate selection.
Server cert accepted?   “Yes” means that there was no server certificate error for the https URL.
Resulting Page(s)       Snapshots of resulting pages and pop-ups.
Meaning                 Short interpretation of the results.
Status                  Overall result of test: Pass, Inconclusive, Prevented or Fail.

Status Definitions

Pass                    Site required a user certificate.
                        Home or login page was accessed with a valid certificate.
                        Site blocked access when a revoked user certificate was provided.

Inconclusive            Testing results did not provide enough information to positively conclude that
                        the site passed or failed. One such case is where the site required a user
                        certificate but access was prevented for both valid and revoked user certs and
                        no reason was given; there was no information to indicate that the server
                        recognized that the revoked user certificate was revoked.

Test prevented because  Could not perform PKI test on server due to connection problems such as DNS
of connection.          lookup failure or connection timeout.

Test prevented because  There were issues with the site's server certificate (such as inadequate cert
of bad server           type, weak ephemeral DH, bad domain, CN or SAN does not match host name,
certificate.            unknown issuer) that prevented testing.

Fail                    Completed the PKI test. Either the site did not require any certificate for access
                        or it allowed access when given a revoked user certificate.





Page 12
UNCLASSIFIED//FOUO
Approved for Release: 2018/07/19 C05113002


IT TRANSFORMATION OFFICE

PKI Testing Procedure


Test Data

Results of the tests for each URL follow.

ID (Acronym)
Asset Name
URL
User cert requested?
Server cert accepted?

Access With Good User Cert
Resulting Page(s)
Meaning

Access With Revoked User Cert
Resulting Page(s)
Meaning

Access With Expired User Cert
Resulting Page(s)
Meaning

Status

End of template.
Header Script. If there are many URLs, using this script to generate headers may save some time.

    # PKI_Test_Headers.ps1  PowerShell script to generate PKI Test Page Headers given a
    # 'PKI Test URLs.csv' CSV file.
    #
    # The CSV file should contain these column names (which are suitable as property names):
    #   ID  Asset  Acronym  URL

    Set-ExecutionPolicy Unrestricted;   ### Must be entered by an Admin.
    ### If no Admin, then the following script must be entered on a single line. See below.
    ### A narrower policy is enough to run this local script and does not need an Admin:
    ###   Set-ExecutionPolicy -Scope Process RemoteSigned

    Import-Csv -Path '.\PKI Test URLs.csv' |
    ForEach-Object {
        $i = $_.ID;
        $n = $_.Asset;
        $a = $_.Acronym;
        $u = $_.URL;

        # One header block per URL: `n is a newline; the trailing `f is a form feed
        # so each block starts on a new page once the text is appended to the document.
        Write-Output "ID $i ($a)`nAsset Name $n`nURL $u`nUser cert requested?`nServer cert accepted?`nAccess With Good User Cert`nResulting Page(s)`nMeaning`nAccess With Revoked User Cert`nResulting Page(s)`nMeaning`nStatus`n`n`f";
    } |
    Out-File PKE_Test_pages.txt


    ### Same script but on a single line:

    Import-Csv -Path '.\PKI Test URLs.csv' | ForEach-Object { $i = $_.ID; $n = $_.Asset; $a = $_.Acronym; $u = $_.URL; Write-Output "ID $i ($a)`nAsset Name $n`nURL $u`nUser cert requested?`nServer cert accepted?`nAccess With Good User Cert`nResulting Page(s)`nMeaning`nAccess With Revoked User Cert`nResulting Page(s)`nMeaning`nStatus`n`n`f" } | Out-File PKE_Test_pages.txt


    ### Append the contents of PKE_Test_pages.txt to the document and convert text to tables.
Appendix B. Example Report Data


Example of a Summary Results Table

ID (Acronym) | Asset    | Server Cert                  | Access With Good User Cert                           | Access With Revoked User Cert                                 | Status
2235         | AIRBRUSH | Good                         | Allowed access when given a valid user certificate.  | Blocked access when given a revoked user certificate.         | Pass
123          | ABC      | Good                         | Identified user based on user certificate.           | No indication that the revoked user certificate was rejected. | Inconclusive
             | DEF      | NA                           | Displayed page. Did not ask for a user certificate.  | Displayed page. Did not ask for a user certificate.           | Fail
789          | GHI      | Expired                      | Displayed page. Accepted user cert.                  | Allowed access when given a revoked user certificate.         | Fail
012          | JKL      | Weak server ephemeral DH key |                                                      |                                                               | Prevented because of a bad server certificate.
             |          |                              |                                                      |                                                               | Prevented because of connection.
             |          | Good                         | “Your sign-in attempt failed. Please try again.”     | “Your sign-in attempt failed. Please try again.”              |
Example of a Test Results Table

ID                      2235 (AIRBRUSH)
Asset Name              (U) AIRBRUSH
URL
User cert requested?
Server cert accepted?

Access With Good User Cert
Resulting Page(s)       Screenshot of the application's home page loaded in Firefox.
Meaning                 Web site contents provided for user with good certificate.

Access With Revoked User Cert
Resulting Page(s)       Screenshot of the IIS error page:

    (U) 403.13 - Forbidden: Client certificate has been revoked on
    the Web server.

    (U) Your client certificate was revoked, or the revocation server could not be contacted. A
    Secure Sockets Layer (SSL) client certificate is used for identifying you as a valid user of the
    resource.

Meaning                 Web site access prevented for user with revoked certificate.

Access With Expired User Cert
Resulting Page(s)       Screenshot of the IIS error page:

    Server Error

    403 - Forbidden: Client certificate has expired.
    You do not have permission to view this directory or page using the credentials that you supplied.

Meaning                 Web site access prevented for user with invalid expired certificate.
Appendix C. Test Procedure Flow Chart
This is the test procedure above represented in a flow chart.













